How to enable "BIOS Firmware Updates" as per the fwupd HSI

In Settings > Privacy & Security > Checks

My HSI level 1 fails because “BIOS Firmware Updates” is not enabled.

How do I enable this? I normally get firmware updates through updating normally with dnf. Is this some automatic setting? I’m not sure what it is or how to enable it.

My level 2 checks also fail due to IOMMU Protection and BIOS Rollback Protection. I haven’t looked into how to enable those yet, but generally speaking, there doesn’t appear to be a whole lot of information online about how to enable all of these settings.

Enabling Secure Boot was actually a lot simpler than I thought - all I had to do was reset my keys to factory settings. This was deceiving because my research led me to complicated guides like this: https://youtu.be/2Sb7lhqIrjE (this was the simplest guide I found).

Advice appreciated.

It would have to be the BIOS itself that is not allowing it. You’ll have to look at the settings available for that in your device’s BIOS.

edit: I was able to pass HSI L2. 🙂

I had to run sudo grubby --update-kernel=ALL --args="intel_iommu=on" in addition to enabling execution prevention in the BIOS.

I’ll try to get as many HSI 3 checks passed as I can, but they look kinda complicated and I’m unlikely to pass them all.

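One way to confirm that the intel_iommu=on argument set with grubby in the post above is actually in effect (an added example, not part of the original thread). The function names are hypothetical; it assumes the kernel's standard /proc/cmdline and /sys/kernel/iommu_groups paths, both of which can be overridden for testing.

```shell
#!/bin/sh
# Added example: check that intel_iommu=on reached the running kernel
# and that the kernel created IOMMU groups. Function names are hypothetical.

# iommu_arg_state CMDLINE -> prints "on", "off" or "unset".
# A later intel_iommu= token overrides an earlier one, and the value may
# carry comma-separated options (e.g. "on,sm_on").
iommu_arg_state() {
    state=unset
    for tok in $1; do
        case "$tok" in
            intel_iommu=*)
                for opt in $(printf '%s' "${tok#intel_iommu=}" | tr ',' ' '); do
                    case "$opt" in
                        on)  state=on ;;
                        off) state=off ;;
                    esac
                done ;;
        esac
    done
    printf '%s\n' "$state"
}

# iommu_group_count [DIR] -> number of IOMMU group directories present.
iommu_group_count() {
    dir=${1:-/sys/kernel/iommu_groups}
    n=0
    for g in "$dir"/*; do
        if [ -d "$g" ]; then n=$((n + 1)); fi
    done
    printf '%s\n' "$n"
}

# check_iommu [CMDLINE] [DIR] -> exit status 0 only if the argument is "on"
# AND at least one IOMMU group exists (argument alone does not prove it works).
check_iommu() {
    cmdline=${1:-$(cat /proc/cmdline)}
    state=$(iommu_arg_state "$cmdline")
    ngroups=$(iommu_group_count "${2:-/sys/kernel/iommu_groups}")
    echo "intel_iommu argument: $state, IOMMU groups: $ngroups"
    [ "$state" = on ] && [ "$ngroups" -gt 0 ]
}
```

Kernel arguments changed with grubby apply from the next boot, so run check_iommu with no arguments after rebooting. An argument of "on" with zero groups usually points back at a firmware setting (VT-d) that is still disabled.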